Story image

Thycotic debunks top Privileged Access Management myths

23 Apr 2019

Article by Thycotic chief security scientist and CISO Joseph Carson

Cybercriminals have an arsenal of tools at their disposal and an almost endless variety of system vulnerabilities they can exploit to breach their targets.

In most cases, however, security incidents can be traced back to the use of compromised user accounts.

The Verizon 2018 Data Breach Investigations Report, for example, found that 81% of data breaches involved the use of stolen or weak passwords.

Another report from Gartner revealing its Top IT Security Projects for 2019 listed Privileged Access Management (PAM) – which locks down and monitors access to user accounts, among other things – as the number one project.

Organisations have traditionally protected their networks with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways and so forth, building multiple levels of security on the perimeter.

Technologies like cloud, mobile and virtualisation, however, now make the security boundaries of an organisation blurry and the traditional security perimeter is no longer such an effective cybersecurity control.

With a limited budget, IT security staff are continuously searching for ways to protect the data they have been entrusted with while looking to add value to the business.

Privileged Access Management is proving to be the new cybersecurity perimeter and an effective solution to reduce organisations’ business risks from cyber-attacks.

Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets that upper management, IT administrators and service account users have.

This access allows more rights and permissions than those given to standard business users.

‘Standard’ business users often have more rights than they really need – something PAM also addresses.

Privileged access is the access most often targeted by cybersecurity threats because this access leads to the most valuable and confidential information, such as customer identities, financial information and personal data.

So why does Gartner also estimate that only 40% of organisations have implemented Privileged Access Management practices for all enterprise use cases?

The reason is PAM’s complex past and a number of misconceptions that have sprung up as a result.

Misconception #1: Implementing PAM is too complex

A complex reputation for PAM solutions dates back to an earlier time.

Legacy PAM software was often overly complicated, leading to needlessly difficult implementations.

Installations could take several months to finish, with some cases taking years or simply remaining incomplete.

These older iterations could also be extremely resource-heavy, requiring the efforts of multiple expensive specialists.

Many IT teams decided that PAM was not worth it, while those that persevered are still bitter about all the grief the process caused them.

Of course, most of these experiences stem from a different era of security, where organisations could more comfortably rely on their firewall to keep attackers away from their networks and privileged accounts.

While many IT veterans may still bear well-earned grudges against early PAM tools, they can no longer afford to shun the approach in the current security climate.

The good news is that PAM solutions have evolved to become much easier to implement and use.

Many are now designed for out-of-the-box deployment, enabling IT teams to get them up and running quickly without the need for expensive specialists.

The best tools are also built to be flexible and scale with the organisation as it grows and its security needs change.

Misconception #2: PAM makes things harder for users

This misconception also dates back to the days before the advent of easy-to-use PAM solutions with features like password management aimed at improving user experience.

Cybersecurity has never been a positive security experience for most employees.

In many organisations there is tension between employees and the cybersecurity team due to the negative impact that many solutions have on productivity, resulting in employees looking for ways around them and increasing risk.

Many employees suffer from cyber fatigue – the frustration experienced in juggling scores of online accounts with multiple (and supposedly strong) passwords.

In many cases, individuals feel so frustrated that they give up trying to manage things safely and default to using the same passwords for multiple accounts, sharing passwords with family members, and logging on to the Internet using their social media accounts.

IT security staff should be looking for ways for employees to have a better experience with security, and the best way to do this is to implement PAM solution.

This will help remove one of the biggest causes of cyber fatigue and will generate new passwords and rotate them when they are stolen or compromised, which these days could be as often as every week.

Misconception #3: PAM is just another cost to the business

Because they only reduce risk, most organisations spend valuable budget on cybersecurity solutions that typically add no additional business value.

However, the right PAM solution actually makes employees more productive by giving them access to systems and applications faster and more securely.

Implementing a PAM solution secures access to sensitive systems and reduces the risk of getting compromised by disclosed passwords on the dark web. PAM also reduces cyber fatigue and simplifies the process of rotating and generating new complex passwords.

All of these save valuable employee time which translates directly into cost savings for the business.

One of the major reasons that Privileged Access Management has been listed as the number one security project for organisations is that it saves them time and money – both of which can go back into their cybersecurity efforts – enabling cybersecurity teams to get more done with the same budget.

Although some IT veterans may still feel compelled to delay PAM, choosing the right solution will enable them to gain full control over their privileged accounts without reliving the pain they may have experienced in the past.

Exploring the different needs for cloud services across Europe
Although digital transformation is happening across Europe, each country continues to have its own IT needs and the different cloud markets highlight this.
Ping Identity offerings accelerates cloud MFA and SSO adoption
90% of respondents trust MFA as an effective security control to protect identity data in public clouds, yet only 60% of organisations have formally adopted it.
Trend Micro introduces cloud and container workload security offering
Container security capabilities added to Trend Micro Deep Security have elevated protection across the DevOps lifecycle and runtime stack.
Veeam joins the ranks of $1bil-revenue software companies
It’s also marked a milestone of 350,000 customers and outlined how it will begin the next stage of its growth.
Veeam enables secondary storage solutions with technology partner program
Veeam has worked with its strategic technology alliance partners to provide flexible deployment options for customers that have continually led to tighter levels of integration.
Veeam Availability Orchestrator update aims to democratise DR
The ability to automatically test, document and reliably recover entire sites, as well as individual workloads from backups in a completely orchestrated way lowers the total cost of ownership (TCO) of DR.
EXCLUSIVE: Forcepoint global channel chief talks strategy
As a solution sold 100% via the channel, cybersecurity solutions company Forcepoint places a strong emphasis on its partner relationships.
Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."